Which two possible drawbacks should you consider when introducing Network Functions Virtualization in a network design? (Choose two.)
A. Bandwidth utilization increases
B. Traffic flows are suboptimal
C. High-end routers are required to support NFV
D. OpenFlow must be supported in the network
E. An SDN orchestration layer is required to support NFV
Explanation:
1. Bandwidth Utilization Increases (A)
Why?
NFV decouples network functions (e.g., firewalls, load balancers) from hardware, running them as virtualized instances (VNFs).
Traffic must now traverse additional virtual switches/overlays (e.g., between VNFs), increasing east-west traffic and bandwidth usage.
Example: A packet might pass through multiple VNFs (firewall → IDS → load balancer), adding latency and bandwidth overhead.
2. Traffic Flows Are Suboptimal (B)
Why?
NFV can lead to hairpinning (traffic taking indirect paths between VNFs).
Without proper service chaining, traffic may loop through inefficient paths.
Example: A packet might go VM → hypervisor switch → VNF 1 → hypervisor switch → VNF 2 instead of a direct path.
Why Other Options Are Incorrect?
C) High-end routers are required → False. NFV runs on commodity servers, not specialized routers.
D) OpenFlow must be supported → False. NFV doesn’t mandate OpenFlow (it’s SDN-specific).
E) SDN orchestration is required → False. While SDN helps, NFV can work with traditional orchestration (e.g., MANO).
Reference:
ETSI NFV Architecture: Highlights bandwidth and flow challenges in VNF service chaining.
Cisco NFV Design Guide: Recommends SR-IOV and smart NICs to mitigate performance issues.
A multinational enterprise integrates a cloud solution with these objectives:
• Achieve seamless connectivity across different countries and regions
• Extend data center and private clouds into public clouds and provider-hosted clouds
What are two outcomes of deploying data centers and fabrics that interconnect different cloud networks? (Choose two.)
A. enhanced security
B. data and network ownership
C. ability to place workloads across clouds
D. centralized visibility
E. unidirectional workload mobility across the cloud
Explanation:
1. Ability to Place Workloads Across Clouds (C)
Why?
Interconnecting data centers and fabrics (e.g., via AWS Direct Connect, Azure ExpressRoute, or Cisco ACI Multi-Site) enables hybrid/multi-cloud workload placement.
Workloads can dynamically move between on-premises, private cloud, and public cloud based on cost, latency, or compliance needs.
2. Centralized Visibility (D)
Why?
A unified fabric (e.g., Cisco SD-WAN, VMware NSX) provides single-pane-of-glass monitoring for traffic across all clouds.
Enables consistent security policies, performance analytics, and troubleshooting globally.
Why Other Options Are Less Relevant?
A) Enhanced security → Security depends on implementation (e.g., encryption, zero-trust), not just interconnectivity.
B) Data/network ownership → Ownership is a contractual/legal issue, not a technical outcome of interconnection.
E) Unidirectional workload mobility → False. Modern clouds support bidirectional workload migration (e.g., VMware HCX, Azure Arc).
Reference:
Cisco Multi-Cloud Design Guide: Highlights workload portability and visibility.
AWS Well-Architected Framework: Recommends centralized monitoring for hybrid clouds.
Which three components are part of the foundational information security principles of the CIA triad? (Choose three.)
A. cryptography
B. confidentiality
C. authorization
D. identification
E. integrity
F. availability
Explanation:
The CIA Triad: Core Principles of Information Security
B) Confidentiality
Ensures data is accessible only to authorized users.
Examples: Encryption, access controls.
E) Integrity
Guarantees data is accurate and unaltered during storage/transmission.
Examples: Hash checks, digital signatures.
F) Availability
Ensures systems/data are accessible when needed.
Examples: Redundancy, DDoS protection.
Why Other Options Are Incorrect?
A) Cryptography: A tool to achieve confidentiality/integrity, not a principle.
C) Authorization & D) Identification: Part of access control, but not CIA triad fundamentals.
Reference:
NIST SP 800-12: Defines CIA as the cornerstone of security.
ISO/IEC 27001: Aligns security controls with CIA.
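The explanation lists hash checks and digital signatures as integrity mechanisms. The following added example (not from the original page) shows why an unkeyed hash check only catches accidental corruption, while a keyed check (HMAC-SHA256) also catches deliberate tampering: an attacker who can rewrite the message can recompute a plain digest but not a tag that depends on a secret they do not hold. The message, key and attacker model are constructed for the example; the constant-time comparison is a standard precaution against timing leaks.

```python
import hashlib
import hmac
import secrets


def unkeyed_tag(msg: bytes) -> str:
    """Plain SHA-256 digest sent alongside the message (detects corruption only)."""
    return hashlib.sha256(msg).hexdigest()


def keyed_tag(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256: recomputing this tag requires the shared secret key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(expected: str, actual: str) -> bool:
    # Constant-time comparison so a tag check does not leak timing information.
    return hmac.compare_digest(expected, actual)


def attacker_rewrites(msg: bytes, tag: str, recompute=None):
    """Constructed active attacker: changes the amount and, where the scheme
    allows it, recomputes the check value to match the altered message."""
    forged = msg.replace(b"amount=100.00", b"amount=999.00")
    return forged, (recompute(forged) if recompute else tag)


def integrity_demo() -> dict:
    key = secrets.token_bytes(32)  # shared only between sender and receiver
    msg = b"transfer:to=acct-42;amount=100.00"  # constructed sample message

    # Scheme 1: unkeyed hash. The attacker recomputes the digest, so the
    # receiver's check passes and the tampering goes undetected.
    forged, forged_tag = attacker_rewrites(msg, unkeyed_tag(msg), unkeyed_tag)
    unkeyed_detects = not verify(unkeyed_tag(forged), forged_tag)

    # Scheme 2: HMAC. Without the key the attacker can only replay the old tag,
    # which no longer matches the altered message.
    forged, old_tag = attacker_rewrites(msg, keyed_tag(key, msg))
    hmac_detects = not verify(keyed_tag(key, forged), old_tag)

    # Accidental corruption (single bit flip, nothing recomputed) is caught by
    # either scheme, which is all an unkeyed hash check was ever good for.
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]
    corruption_detected = not verify(unkeyed_tag(flipped), unkeyed_tag(msg))

    return {
        "unkeyed_hash_detects_tampering": unkeyed_detects,
        "hmac_detects_tampering": hmac_detects,
        "hash_detects_corruption": corruption_detected,
    }


if __name__ == "__main__":
    for check, result in integrity_demo().items():
        print(f"{check}: {result}")
```

A digital signature gives the same tampering protection as the HMAC case but with a private key only the signer holds, which additionally provides non-repudiation; the HMAC case is used here because Python's standard library has no signature primitive.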
Which effect of using ingress filtering to prevent spoofed addresses on a network design is true?
A. It reduces the effectiveness of DDoS attacks when associated with DSCP remarking to Scavenger.
B. It protects the network infrastructure against spoofed DDoS attacks.
C. It classifies bogon traffic and remarks it with DSCP bulk.
D. It filters RFC 1918 IP addresses.
Explanation:
Why Ingress Filtering Prevents Spoofed DDoS Attacks?
How It Works:
Ingress filtering blocks packets with illegitimate source IPs (e.g., spoofed or bogon addresses) at the network edge.
Example: If an attacker tries to send traffic with a fake source IP (like a victim’s IP), the filter drops it.
Impact on DDoS:
Prevents reflection/amplification attacks (e.g., NTP, DNS amplification) that rely on spoofed IPs.
Reduces the volume of malicious traffic reaching internal resources.
Why Other Options Are Incorrect?
A) DSCP remarking to Scavenger (QoS) is unrelated to ingress filtering.
C) Ingress filtering drops bogon traffic (doesn’t classify/remark it).
D) While it can filter RFC 1918 addresses, this is not its primary purpose (focus is on spoofing).
Reference:
RFC 2827 (Network Ingress Filtering): Best Practices for anti-spoofing.
Cisco SAFE Security Guide: Recommends ingress filtering for DDoS mitigation.
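The following added example (not part of the original page) implements the edge check the explanation describes: packets whose source address is a bogon are dropped, and packets whose source is not reachable back through the interface they arrived on are dropped as spoofed. The second check goes slightly beyond the static RFC 2827 ACL and is the strict unicast RPF form of the same idea. The bogon list, routing table and sample packets are constructed for the example and use documentation prefixes only.

```python
import ipaddress

# Constructed bogon list: source prefixes that must never enter from the Internet
# (RFC 1918 private space plus loopback, link-local, multicast and reserved ranges).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed routing table: prefix -> interface the prefix is reached through.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "cust1",
    ipaddress.ip_network("198.51.100.0/24"): "cust2",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}


def route_interface(addr: ipaddress.IPv4Address) -> str:
    """Longest-prefix match: the interface this address is reachable through."""
    _, ifc = max(((n, i) for n, i in ROUTES.items() if addr in n),
                 key=lambda m: m[0].prefixlen)
    return ifc


def ingress_verdict(src_ip: str, ingress_if: str) -> str:
    """Edge anti-spoofing decision: drop bogon sources, drop sources whose
    best route does not point back at the receiving interface, else permit."""
    src = ipaddress.ip_address(src_ip)
    if any(src in b for b in BOGONS):
        return "drop-bogon"
    if route_interface(src) != ingress_if:
        return "drop-spoofed"
    return "permit"


# Constructed packets: (source IP, interface the packet arrived on)
SAMPLE_PACKETS = [
    ("203.0.113.25", "cust1"),     # customer sending from its own prefix
    ("198.51.100.7", "cust1"),     # cust1 spoofing cust2's prefix
    ("203.0.113.25", "upstream"),  # our own prefix arriving from the Internet
    ("192.168.1.10", "upstream"),  # RFC 1918 source arriving from the Internet
    ("192.0.2.44", "upstream"),    # ordinary Internet source
]


def summarize(packets=SAMPLE_PACKETS) -> dict:
    """Count verdicts over a packet list (useful as a filter-policy sanity check)."""
    counts = {}
    for src, ifc in packets:
        verdict = ingress_verdict(src, ifc)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for src, ifc in SAMPLE_PACKETS:
        print(f"{src:>14} on {ifc:<9} -> {ingress_verdict(src, ifc)}")
    print(summarize())
```

The third sample packet shows the case that matters most for DDoS: traffic claiming one of your own addresses but arriving from the upstream side is dropped, so reflection attacks cannot use you as a spoofed source or target through that edge. Strict reverse-path checking assumes symmetric routing; on links with asymmetric paths the static prefix ACL alone is the safer form of the same check.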
Which two control plane policer designs must be considered to achieve high availability? (Choose two.)
A. Control plane policers are enforced in hardware to protect the software path, but they are hardware platform dependent in terms of classification ability.
B. Control plane policers are really needed only on externally facing devices.
C. Control plane policers can cause the network management systems to create false alarms.
D. Control plane policers must be processed before a forwarding decision is made.
E. Control plane policers require that adequate protocol overhead is factored in to allow protocol convergence.
Explanation:
1. Hardware Enforcement & Platform Dependency (A)
Why?
Control plane policers are often implemented in hardware (ASICs) to offload the CPU and prevent resource exhaustion.
However, their classification capabilities (e.g., granular rate-limiting per protocol) vary by hardware platform.
Example: Some switches can police BGP/OSPF separately, while others lump all control traffic together.
2. Protocol Overhead for Convergence (E)
Why?
Overly aggressive policing can starve routing protocols (e.g., BGP, OSPF) of bandwidth, causing slow convergence or flapping.
Design must account for baseline protocol needs (e.g., 1% of interface bandwidth for OSPF).
Why Other Options Are Incorrect?
B) Control plane policers are needed internally too (e.g., to protect against misbehaving hosts or loops).
C) False alarms are a monitoring issue, not a design principle.
D) Policers act after forwarding decisions (to filter traffic destined for the CPU).
Reference:
Cisco IOS XR Control Plane Protection (CoPP) Guide: Hardware policer limitations.
RFC 6192 (Protecting the Router Control Plane): Recommends reserving bandwidth for protocols.
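Both correct answers come down to how the policer classifies and sizes its classes. The following added simulation (not code from the page or from any vendor) runs the same constructed control-plane traffic, OSPF hellos from four neighbors plus an ICMP flood aimed at the router, through three policer designs: one shared class for all punted traffic (the platform that "lumps all control traffic together"), per-protocol classes, and per-protocol classes with an OSPF class sized without regard to how many neighbors send hellos back-to-back. It reports whether each neighbor's adjacency survives the 40 s dead interval. The token bucket, traffic timings and rates are constructed for the example.

```python
from collections import defaultdict

MICRO = 1_000_000       # one packet costs MICRO micro-tokens; all times are microseconds
SIM_US = 60 * MICRO     # simulate 60 seconds
HELLO_US = 10 * MICRO   # OSPF hello interval
DEAD_US = 40 * MICRO    # OSPF dead interval
NEIGHBORS = 4


class TokenBucket:
    """Single-rate policer: refills rate_pps tokens per second up to burst packets.
    Integer micro-token arithmetic keeps the simulation exact and repeatable."""

    def __init__(self, rate_pps, burst):
        self.rate = rate_pps
        self.capacity = burst * MICRO
        self.tokens = self.capacity
        self.last_us = 0

    def conform(self, now_us):
        # elapsed_us * rate_pps micro-tokens == elapsed seconds * rate_pps packets
        self.tokens = min(self.capacity, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if self.tokens >= MICRO:
            self.tokens -= MICRO
            return True
        return False


def control_plane_traffic():
    """Constructed punt traffic: hellos from four OSPF neighbors every 10 s (offset
    so none coincides with a flood packet) and a 2000 pps ICMP flood from 10 s to 50 s."""
    events = []
    for rnd in range(SIM_US // HELLO_US):
        for nb in range(NEIGHBORS):
            events.append((rnd * HELLO_US + 130_100 + nb * 130_000, "ospf", nb))
    events += [(10 * MICRO + k * 500, "icmp", None) for k in range(40 * 2000)]
    events.sort(key=lambda e: e[0])
    return events


def adjacency_survives(hello_times):
    """Adjacency stays up if no gap between delivered hellos exceeds the dead interval."""
    points = [0] + sorted(hello_times) + [SIM_US]
    return all(b - a <= DEAD_US for a, b in zip(points, points[1:]))


def run_policy(buckets):
    """buckets maps traffic class -> TokenBucket; '*' is the shared catch-all class."""
    delivered = defaultdict(list)
    for t, cls, nb in control_plane_traffic():
        bucket = buckets.get(cls) or buckets["*"]
        if bucket.conform(t) and cls == "ospf":
            delivered[nb].append(t)
    return {nb: adjacency_survives(delivered[nb]) for nb in range(NEIGHBORS)}


def single_shared_class():
    """Platform that cannot classify: every punted packet shares one 1000 pps bucket."""
    return run_policy({"*": TokenBucket(1000, 100)})


def per_protocol_classes():
    """Routing traffic policed in its own class, sized above the hello load."""
    return run_policy({"ospf": TokenBucket(50, 10), "icmp": TokenBucket(1000, 100)})


def undersized_ospf_class():
    """Separate class, but burst 2 for four neighbors whose hellos arrive together."""
    return run_policy({"ospf": TokenBucket(1, 2), "icmp": TokenBucket(1000, 100)})


if __name__ == "__main__":
    for name, fn in [("shared class", single_shared_class),
                     ("per-protocol", per_protocol_classes),
                     ("undersized OSPF class", undersized_ospf_class)]:
        print(f"{name:<22} adjacency up per neighbor: {fn()}")
```

In the shared-class run the flood drains the bucket, every hello sent during the flood is dropped and all four adjacencies time out, which is why hardware classification granularity (A) matters. In the undersized run the flood is kept away from OSPF, yet neighbors 2 and 3 still lose their adjacency because the class was sized for one hello at a time rather than for the number of neighbors and their convergence traffic (E).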
Which three items do you recommend for control plane hardening of an infrastructure device? (Choose three.)
A. routing protocol authentication
B. SNMPv3
C. Control Plane Policing
D. redundant AAA servers
E. warning banners
F. to enable unused services
Explanation:
1. Routing Protocol Authentication (A)
Why?
Prevents unauthorized routers from injecting fake routes (e.g., OSPF/BGP spoofing).
Uses MD5/SHA hashing or IPsec for secure neighbor adjacencies.
2. SNMPv3 (B)
Why?
Provides encryption (AES) and authentication for SNMP traffic, unlike SNMPv1/v2 (plaintext).
Blocks attackers from exploiting SNMP to reconfigure devices or extract data.
3. Control Plane Policing (CoPP) (C)
Why?
Rate-limits traffic sent to the CPU (e.g., ICMP, SSH, routing updates) to prevent DoS attacks.
Example: Blocks excessive ARP requests from overwhelming the router.
Why Other Options Are Less Critical?
D) Redundant AAA servers → Important for availability, not direct control-plane hardening.
E) Warning banners → Legal compliance, not security hardening.
F) Enable unused services → Insecure! Best practice is to disable unused services.
Reference:
Cisco IOS Hardening Guide: Mandates CoPP, SNMPv3, and routing auth.
NIST SP 800-123: Recommends disabling unused services.
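The three recommended items, plus the "disable unused services" point from the incorrect options, are things a design review can check mechanically. The following added example (not from the page, nor a vendor tool) audits an IOS-style running configuration for routing-protocol authentication, SNMPv3-only management, an inbound CoPP policy under control-plane, and a few services that should be off. The two configuration texts are constructed for the example with placeholder secrets; the set of checked command lines is limited to widely documented IOS syntax and is not a complete hardening baseline.

```python
import re

# Constructed sample configuration with deliberate gaps (not from a real device).
WEAK_CONFIG = """\
hostname edge-r1
!
ip http server
snmp-server community public RO
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip ospf message-digest-key 1 md5 PLACEHOLDER_KEY
!
router ospf 1
 area 0 authentication message-digest
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
"""

# Constructed configuration that satisfies every check below.
HARDENED_CONFIG = """\
hostname edge-r1
no ip http server
snmp-server group NMS v3 priv
snmp-server user nmsadmin NMS v3 auth sha PLACEHOLDER_AUTH priv aes 128 PLACEHOLDER_PRIV
class-map match-all COPP-ROUTING
 match access-group name ROUTING-PROTOCOLS
policy-map COPP
 class COPP-ROUTING
  police 256000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 PLACEHOLDER_KEY
 ip ospf authentication message-digest
router ospf 1
 area 0 authentication message-digest
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 password PLACEHOLDER_PASSWORD
"""

RISKY_SERVICES = {"ip http server", "service tcp-small-servers",
                  "service udp-small-servers", "ip finger", "service pad"}


def audit_config(config: str) -> dict:
    """Return {check: [findings]} for hardening items that are missing or wrong."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = {}

    # 1. Routing protocol authentication. A key alone does not enable OSPF
    #    authentication; the area or interface 'authentication' command must exist.
    issues = []
    if any(l.startswith("router ospf") for l in lines) and not any(
            re.match(r"\s*(area \d+ authentication|ip ospf authentication)", l) for l in lines):
        issues.append("OSPF configured without authentication enabled")
    peers = {m.group(1) for l in lines if (m := re.match(r"\s*neighbor (\S+) remote-as", l))}
    secured = {m.group(1) for l in lines if (m := re.match(r"\s*neighbor (\S+) password", l))}
    issues += [f"BGP neighbor {p} has no password" for p in sorted(peers - secured)]
    if issues:
        findings["routing-protocol-authentication"] = issues

    # 2. SNMPv3 with authentication and privacy, and no v1/v2c community strings.
    issues = []
    if any(l.startswith("snmp-server community") for l in lines):
        issues.append("SNMPv1/v2c community strings present")
    if not any(re.match(r"snmp-server group \S+ v3 priv", l) for l in lines):
        issues.append("no SNMPv3 group at the authPriv security level")
    if issues:
        findings["snmpv3"] = issues

    # 3. Control Plane Policing: an inbound service-policy under control-plane.
    in_cp, copp = False, False
    for l in lines:
        if l == "control-plane":
            in_cp = True
        elif in_cp and l.startswith(" "):
            copp = copp or l.strip().startswith("service-policy input")
        else:
            in_cp = False
    if not copp:
        findings["control-plane-policing"] = ["no service-policy input under control-plane"]

    # 4. Unused services that should be disabled.
    enabled = [l.strip() for l in lines if l.strip() in RISKY_SERVICES]
    if enabled:
        findings["unused-services"] = [f"{s} is enabled" for s in enabled]
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(name, audit_config(cfg) or "no findings")
```

Note that the weak configuration passes the OSPF check but fails the BGP one: hardening reviews tend to find authentication enabled on one routing protocol and forgotten on another, so the audit checks each protocol separately.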
Which main IoT migration aspect should be reviewed for a manufacturing plant?
A. Sensors
B. Security
C. Applications
D. Wi-Fi Infrastructure
E. Ethernet Switches
Explanation:
Why Security is the Top Priority?
Risks in Manufacturing IoT:
Industrial IoT (IIoT) devices (e.g., sensors, robots) are prime targets for cyberattacks, which can disrupt production or cause safety hazards.
Examples: Stuxnet malware, ransomware targeting SCADA systems.
Key Security Considerations:
Device hardening: Default credentials, firmware updates.
Network segmentation: Isolate OT (Operational Technology) from IT networks.
Data encryption: Protect sensitive production data.
Why Other Options Are Secondary?
A) Sensors & C) Applications: Important but depend on security for safe operation.
D) Wi-Fi & E) Ethernet Switches: Infrastructure must be secured first (e.g., MAC filtering, VLAN segregation).
Reference:
NIST IR 8228 (IoT Cybersecurity): Prioritizes security for critical infrastructure.
IEC 62443 (Industrial Security Standards): Framework for manufacturing IoT.
What is the most important operational driver when building a resilient and secure modular network design?
A. Reduce the frequency of failures requiring human intervention
B. Minimize app downtime
C. Increase time spent on developing new features
D. Dependencies on hardware or software that is difficult to scale
Explanation:
Why This is the Top Priority?
Resilience & Automation:
A modular design aims to self-heal (e.g., automatic failover, redundant paths) to minimize manual troubleshooting.
Example: BGP/OSPF fast convergence, SD-WAN dynamic path selection.
Security Implications:
Fewer human interventions reduce configuration errors (a major cause of breaches).
Automated responses (e.g., DDoS mitigation, NAC) improve threat containment.
Operational Efficiency:
Frees IT teams to focus on proactive tasks (e.g., capacity planning) vs. firefighting.
Why Other Options Are Less Critical?
B) Minimize app downtime: A result of resilience, not a driver.
C) New features: Secondary to stability.
D) Scalability dependencies: Important but addressed by modularity itself.
Reference:
Cisco SAFE Architecture: Highlights automation for resilience.
NIST SP 800-160 (Systems Security Engineering): Links resilience to reduced human reliance.
Which management category is not part of FCAPS framework?
A. Configuration
B. Security
C. Performance
D. Authentication
E. Fault-management
Explanation:
FCAPS Framework (ISO Network Management Model)
FCAPS defines five core categories of network management:
Fault Management (E): Detects, logs, and troubleshoots network issues.
Configuration Management (A): Handles device setup and changes.
Accounting Management: Tracks resource usage (e.g., bandwidth, billing).
Performance Management (C): Monitors metrics like latency, throughput.
Security Management (B): Ensures confidentiality, integrity, and access control.
Why Authentication (D) is Not a Separate Category?
Authentication falls under Security Management (B), not as a standalone pillar.
FCAPS focuses on broader operational layers, not specific protocols like AAA (Authentication, Authorization, Accounting).
Reference:
ISO/IEC 7498-4 (FCAPS Standard): Original framework definition.
ITU-T M.3400: Expands on FCAPS for telecom.
What is a disadvantage of the traditional three-tier architecture model when east-west traffic between different pods must go through the distribution and core layers?
A. Low bandwidth
B. Security
C. Scalability
D. High latency
Explanation:
Why Traditional Three-Tier Architecture Adds Latency for East-West Traffic?
Traffic Path in Three-Tier Model:
East-West traffic (e.g., server-to-server communication between pods) must traverse:
Access Layer → Distribution Layer → Core Layer → Distribution Layer → Access Layer.
This hairpinning introduces extra hops, increasing latency.
Impact on Performance:
Each hop adds processing delay (routing/forwarding) and potential congestion at aggregation points.
Unsuitable for latency-sensitive applications (e.g., databases, microservices).
Why Other Options Are Less Accurate?
A) Low Bandwidth: Not inherent to the model—core/distribution layers are typically high-capacity.
B) Security: Traffic inspection at layers can enhance security (not a disadvantage).
C) Scalability: Three-tier scales vertically but struggles with horizontal scalability (not latency).
Reference:
Cisco Data Center Design Guide: Highlights latency as a key drawback of three-tier for east-west traffic.
Juniper QFX Series: Recommends leaf-spine for low-latency east-west flows.
Which actions are performed at the distribution layer of the three-layer hierarchical network design model? (Choose two.)
A. Fast transport
B. Reliability
C. QoS classification and marking boundary
D. Fault isolation
E. Redundancy and load balancing
Explanation:
Key Roles of the Distribution Layer:
C) QoS Classification and Marking Boundary:
The distribution layer acts as the policy enforcement point for QoS.
It classifies, marks, and prioritizes traffic (e.g., VoIP, video) before sending it to the core.
Example: Marks DSCP values for WAN traffic.
E) Redundancy and Load Balancing:
Provides high availability through:
HSRP/VRRP (redundant gateways).
ECMP (equal-cost multipath for load balancing).
Ensures traffic is evenly distributed across uplinks to the core.
Why Other Options Are Incorrect?
A) Fast transport: Handled by the core layer (high-speed backbone).
B) Reliability: A result of redundancy (E), not a standalone function.
D) Fault isolation: Primarily an access-layer task (e.g., STP for loop prevention).
Reference:
Cisco Hierarchical Network Design Guide: Defines distribution layer roles.
RFC 2474 (QoS DSCP): Standards for traffic marking.
Which three tools are used for ongoing monitoring and maintenance of a voice and video environment? (Choose three.)
A. Flow-based analysis to measure bandwidth mix of applications and their flows
B. Call management analysis to identify network convergence-related failures
C. Call management analysis to identify CAC failures and call quality issues
D. Active monitoring via synthetic probes to measure loss, latency, and jitter
E. Passive monitoring via synthetic probes to measure loss, latency, and jitter
F. Flow-based analysis with PTP time-stamping to measure loss, latency, and jitter
Explanation:
1. Call Management Analysis (C)
Purpose:
Tracks Call Admission Control (CAC) failures (e.g., rejected calls due to bandwidth limits).
Identifies call quality issues (e.g., MOS scores, packet loss in VoIP).
Tools: Cisco Unified Communications Manager (CUCM) reports, SolarWinds VoIP Monitor.
2. Active Monitoring via Synthetic Probes (D)
Purpose:
Simulates traffic (e.g., SIP/RTP probes) to measure loss, latency, jitter proactively.
Tools: Cisco IP SLA, ThousandEyes.
3. Flow-Based Analysis with PTP (F)
Purpose:
Uses Precision Time Protocol (PTP) to timestamp flows for accurate latency/jitter measurement.
Analyzes real traffic patterns (e.g., NetFlow, IPFIX).
Tools: Cisco Stealthwatch, Riverbed.
Why Other Options Are Incorrect?
A) Flow-based analysis measures bandwidth mix, not call quality (too broad).
B) "Network convergence-related failures" are better detected via routing protocol monitoring, not call analytics.
E) Passive monitoring uses real traffic (not synthetic probes).
Reference:
Cisco Collaboration SRE (Voice/Video Monitoring Best Practices)
RFC 3550 (RTP): Standards for jitter/loss measurement.
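Whether the probes are synthetic (D) or the flows are time-stamped real traffic (F), the loss and jitter numbers come from the receiver-side statistics that RFC 3550 defines. The following added example (not from the page or any monitoring product) implements them over a constructed RTP packet trace: the interarrival jitter estimator of section 6.4.1, J = J + (|D| - J)/16 with D the change in transit time between successive packets, and packet loss from extended sequence numbers. The 8 kHz clock, the packet trace and the transit offsets are constructed for the example.

```python
RTP_CLOCK_HZ = 8000  # constructed G.711-style clock: 160 ticks per 20 ms packet


class RtpStats:
    """Receiver-side RFC 3550 statistics: interarrival jitter and loss."""

    def __init__(self):
        self.jitter = 0.0         # running jitter estimate, in RTP clock ticks
        self.prev_transit = None  # transit time of the previous packet
        self.base_seq = None      # first extended sequence number seen
        self.max_ext_seq = None   # highest extended sequence number seen
        self.cycles = 0           # 65536 added per wrap of the 16-bit sequence field
        self.received = 0

    def packet(self, seq, rtp_ts, arrival_ts):
        """Feed one packet; arrival_ts is the local arrival time in RTP clock ticks."""
        # Simplified wrap detection: a much smaller sequence number after a high one.
        if self.max_ext_seq is not None:
            last16 = self.max_ext_seq & 0xFFFF
            if seq < last16 and last16 - seq > 0x8000:
                self.cycles += 0x10000
        ext = self.cycles + seq
        if self.base_seq is None:
            self.base_seq = ext
        self.max_ext_seq = ext if self.max_ext_seq is None else max(self.max_ext_seq, ext)
        self.received += 1

        # D(i,j) = (Rj - Ri) - (Sj - Si) = transit_j - transit_i
        transit = arrival_ts - rtp_ts
        if self.prev_transit is not None:
            d = abs(transit - self.prev_transit)
            self.jitter += (d - self.jitter) / 16
        self.prev_transit = transit

    def expected(self):
        return self.max_ext_seq - self.base_seq + 1

    def lost(self):
        return self.expected() - self.received

    def loss_fraction(self):
        return self.lost() / self.expected()

    def jitter_ms(self):
        return self.jitter * 1000 / RTP_CLOCK_HZ


# Constructed trace: (seq, RTP timestamp, arrival time in clock ticks).
# Seq 4 never arrives; transit times vary by a few ticks to produce jitter.
SAMPLE_TRACE = [
    (1, 160, 260),
    (2, 320, 420),
    (3, 480, 596),
    (5, 800, 900),
    (6, 960, 1068),
]


def analyze(trace=SAMPLE_TRACE) -> RtpStats:
    stats = RtpStats()
    for seq, rtp_ts, arrival_ts in trace:
        stats.packet(seq, rtp_ts, arrival_ts)
    return stats


if __name__ == "__main__":
    s = analyze()
    print(f"expected={s.expected()} received={s.received} lost={s.lost()} "
          f"loss={s.loss_fraction():.1%} jitter={s.jitter_ms():.3f} ms")
```

The 1/16 gain means a single late packet moves the estimate only slightly, so a probe must run long enough for the jitter figure to settle before it is compared against a design target; a flow analyser using hardware time stamps feeds the same estimator with more accurate arrival times rather than a different formula.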